src/imap-login/client-authenticate.c

	client-authenticate.c revision 9439bed2f07d6475febd8a247cd2f0990fb32a13
a8c5a86d183db25a57bf193c06b41e092ec2e151Timo Sirainen/* Copyright (C) 2002-2004 Timo Sirainen */
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "common.h"
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen#include "base64.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "buffer.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "ioloop.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "istream.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "ostream.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "safe-memset.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "str.h"
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen#include "str-sanitize.h"
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen#include "imap-parser.h"
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen#include "auth-client.h"
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen#include "client.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "client-authenticate.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include "imap-proxy.h"
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen#include <stdlib.h>
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainenconst char *client_authenticate_get_capabilities(int secured)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen{
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    const struct auth_mech_desc *mech;
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    unsigned int i, count;
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    string_t *str;
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    str = t_str_new(128);
395682d473b161c86165e7b9323ce4e45afb94bdTimo Sirainen    mech = auth_client_get_available_mechs(auth_client, &count);
395682d473b161c86165e7b9323ce4e45afb94bdTimo Sirainen    for (i = 0; i < count; i++) {
072f06b60d69fe9456c3fffe20e72a7d09f2825dTimo Sirainen        /* a) transport is secured
395682d473b161c86165e7b9323ce4e45afb94bdTimo Sirainen           b) auth mechanism isn't plaintext
395682d473b161c86165e7b9323ce4e45afb94bdTimo Sirainen           c) we allow insecure authentication
395682d473b161c86165e7b9323ce4e45afb94bdTimo Sirainen        */
395682d473b161c86165e7b9323ce4e45afb94bdTimo Sirainen        if ((mech[i].flags & MECH_SEC_PRIVATE) == 0 &&
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            (secured || !disable_plaintext_auth ||
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen             (mech[i].flags & MECH_SEC_PLAINTEXT) == 0)) {
395682d473b161c86165e7b9323ce4e45afb94bdTimo Sirainen            str_append_c(str, ' ');
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen            str_append(str, "AUTH=");
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen            str_append(str, mech[i].name);
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen        }
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen    }
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen    return str_c(str);
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen}
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainenstatic void client_auth_input(void *context)
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen{
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen    struct imap_client *client = context;
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    char *line;
eb0816090cf5a549280ad783b9aa6fec199d36baTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    if (!client_read(client))
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        return;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    if (client->skip_line) {
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        if (i_stream_next_line(client->input) == NULL)
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen            return;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        client->skip_line = FALSE;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    }
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    /* @UNSAFE */
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    line = i_stream_next_line(client->input);
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    if (line == NULL)
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        return;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    if (strcmp(line, "*") == 0) {
51327f2489a4e0e615eb9f7d921473cf8512bb79Timo Sirainen        sasl_server_auth_cancel(&client->common,
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen                    "Authentication aborted");
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        return;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    }
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    if (client->common.auth_request == NULL) {
31a574fda352ef4f71dbff9c30e15e4744e132c0Timo Sirainen        sasl_server_auth_cancel(&client->common,
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen                    "Don't send unrequested data");
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    } else {
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        auth_client_request_continue(client->common.auth_request, line);
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen    }
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    /* clear sensitive data */
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    safe_memset(line, 0, strlen(line));
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen}
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
99695d99930b35c2bac85d52e976b44cf8485d83Timo Sirainenstatic int client_handle_args(struct imap_client *client,
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen                  const char *const *args, int nologin)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen{
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    const char *reason = NULL, *host = NULL, *destuser = NULL, *pass = NULL;
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen    string_t *reply;
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen    unsigned int port = 143;
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen    int proxy = FALSE, temp = FALSE;
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen    for (; *args != NULL; args++) {
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen        if (strcmp(*args, "nologin") == 0)
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen            nologin = TRUE;
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen        else if (strcmp(*args, "proxy") == 0)
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen            proxy = TRUE;
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        else if (strcmp(*args, "temp") == 0)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            temp = TRUE;
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        else if (strncmp(*args, "reason=", 7) == 0)
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen            reason = *args + 7;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        else if (strncmp(*args, "host=", 5) == 0)
99695d99930b35c2bac85d52e976b44cf8485d83Timo Sirainen            host = *args + 5;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        else if (strncmp(*args, "port=", 5) == 0)
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen            port = atoi(*args + 5);
e2d268e9531227ead6a98466ecf3c046c857ef70Timo Sirainen        else if (strncmp(*args, "destuser=", 9) == 0)
e2d268e9531227ead6a98466ecf3c046c857ef70Timo Sirainen            destuser = *args + 9;
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen        else if (strncmp(*args, "pass=", 5) == 0)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            pass = *args + 5;
99695d99930b35c2bac85d52e976b44cf8485d83Timo Sirainen    }
99695d99930b35c2bac85d52e976b44cf8485d83Timo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    if (destuser == NULL)
99695d99930b35c2bac85d52e976b44cf8485d83Timo Sirainen        destuser = client->common.virtual_user;
99695d99930b35c2bac85d52e976b44cf8485d83Timo Sirainen
99695d99930b35c2bac85d52e976b44cf8485d83Timo Sirainen    if (proxy) {
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        /* we want to proxy the connection to another server.
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen           proxy host=.. [port=..] [destuser=..] pass=.. */
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        if (imap_proxy_new(client, host, port, destuser, pass) < 0)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            client_destroy_internal_failure(client);
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        return TRUE;
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    }
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen    if (host != NULL) {
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        /* IMAP referral
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen           [nologin] referral host=.. [port=..] [destuser=..]
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen           [reason=..]
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen           NO [REFERRAL imap://destuser;AUTH=..@host:port/] Can't login.
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen           OK [...] Logged in, but you should use this server instead.
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen           .. [REFERRAL ..] (Reason from auth server)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        */
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        reply = t_str_new(128);
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        str_append(reply, nologin ? "NO " : "OK ");
44320b37d20bb75e0d433423318db2f4e29d5b91Timo Sirainen        str_printfa(reply, "[REFERRAL imap://%s;AUTH=%s@%s",
44320b37d20bb75e0d433423318db2f4e29d5b91Timo Sirainen                destuser, client->common.auth_mech_name, host);
44320b37d20bb75e0d433423318db2f4e29d5b91Timo Sirainen        if (port != 143)
44320b37d20bb75e0d433423318db2f4e29d5b91Timo Sirainen            str_printfa(reply, ":%u", port);
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        str_append(reply, "/] ");
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        if (reason != NULL)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            str_append(reply, reason);
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        else if (nologin)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            str_append(reply, "Try this server instead.");
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        else {
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            str_append(reply, "Logged in, but you should use "
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen                   "this server instead.");
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen        }
44320b37d20bb75e0d433423318db2f4e29d5b91Timo Sirainen        client_send_tagline(client, str_c(reply));
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        if (!nologin) {
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            client_destroy(client, "Login with referral");
eb0816090cf5a549280ad783b9aa6fec199d36baTimo Sirainen            return TRUE;
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        }
eb0816090cf5a549280ad783b9aa6fec199d36baTimo Sirainen    } else if (nologin) {
eb0816090cf5a549280ad783b9aa6fec199d36baTimo Sirainen        /* Authentication went ok, but for some reason user isn't
363929157786b549c80630bda3c3575f5115c6c5Timo Sirainen           allowed to log in. Shouldn't probably happen. */
4182d8cd818e76856a5a1e25b343fe5ddf69fd8eTimo Sirainen        reply = t_str_new(128);
18a41cbd38f83429b790414c1159c097af4a59b8Timo Sirainen        if (reason != NULL)
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen            str_printfa(reply, "NO %s", reason);
c115c742f730e312d6b6ab5064595cd0d8b4e26eTimo Sirainen        else if (temp)
            str_append(reply, "NO "AUTH_TEMP_FAILED_MSG);
        else
            str_append(reply, "NO "AUTH_FAILED_MSG);
        client_send_tagline(client, str_c(reply));
    } else {
        /* normal login/failure */
        return FALSE;
    }

    i_assert(nologin);

    /* get back to normal client input. */
    if (client->io != NULL)
        io_remove(client->io);
    client->io = io_add(client->common.fd, IO_READ, client_input, client);
    return TRUE;
}

static void sasl_callback(struct client *_client, enum sasl_server_reply reply,
              const char *data, const char *const *args)
{
    struct imap_client *client = (struct imap_client *)_client;
    struct const_iovec iov[3];
    size_t data_len;
    ssize_t ret;

    switch (reply) {
    case SASL_SERVER_REPLY_SUCCESS:
        if (args != NULL) {
            if (client_handle_args(client, args, FALSE))
                break;
        }

        client_send_tagline(client, "OK Logged in.");
        client_destroy(client, "Login");
        break;
    case SASL_SERVER_REPLY_AUTH_FAILED:
        if (args != NULL) {
            if (client_handle_args(client, args, TRUE))
                break;
        }

        client_send_tagline(client, "NO "AUTH_FAILED_MSG);

        /* get back to normal client input. */
        if (client->io != NULL)
            io_remove(client->io);
        client->io = io_add(client->common.fd, IO_READ,
                    client_input, client);
        break;
    case SASL_SERVER_REPLY_MASTER_FAILED:
        client_destroy_internal_failure(client);
        break;
    case SASL_SERVER_REPLY_CONTINUE:
        data_len = strlen(data);
        iov[0].iov_base = "+ ";
        iov[0].iov_len = 2;
        iov[1].iov_base = data;
        iov[1].iov_len = data_len;
        iov[2].iov_base = "\r\n";
        iov[2].iov_len = 2;

        ret = o_stream_sendv(client->output, iov, 3);
        if (ret < 0)
            client_destroy(client, "Disconnected");
        else if ((size_t)ret != 2 + data_len + 2)
            client_destroy(client, "Transmit buffer full");
        else {
            /* continue */
            return;
        }
        break;
    }

    client_unref(client);
}

int cmd_authenticate(struct imap_client *client, struct imap_arg *args)
{
    const char *mech_name;

    /* we want only one argument: authentication mechanism name */
    if (args[0].type != IMAP_ARG_ATOM && args[0].type != IMAP_ARG_STRING)
        return -1;
    if (args[1].type != IMAP_ARG_EOL)
        return -1;

    mech_name = IMAP_ARG_STR(&args[0]);
    if (*mech_name == '\0')
        return FALSE;

    client_ref(client);
    sasl_server_auth_begin(&client->common, "IMAP", mech_name, NULL,
                   sasl_callback);
    if (!client->common.authenticating)
        return 1;

    /* following input data will go to authentication */
    if (client->io != NULL)
        io_remove(client->io);
    client->io = io_add(client->common.fd, IO_READ,
                client_auth_input, client);
    return 0;
}

int cmd_login(struct imap_client *client, struct imap_arg *args)
{
    const char *user, *pass;
    string_t *plain_login, *base64;

    /* two arguments: username and password */
    if (args[0].type != IMAP_ARG_ATOM && args[0].type != IMAP_ARG_STRING)
        return -1;
    if (args[1].type != IMAP_ARG_ATOM && args[1].type != IMAP_ARG_STRING)
        return -1;
    if (args[2].type != IMAP_ARG_EOL)
        return -1;

    user = IMAP_ARG_STR(&args[0]);
    pass = IMAP_ARG_STR(&args[1]);

    if (!client->common.secured && disable_plaintext_auth) {
        if (verbose_auth) {
            client_syslog(&client->common, "Login failed: "
                      "Plaintext authentication disabled");
        }
        client_send_line(client,
            "* BAD [ALERT] Plaintext authentication is disabled, "
            "but your client sent password in plaintext anyway. "
            "If anyone was listening, the password was exposed.");
        client_send_tagline(client,
                    "NO Plaintext authentication disabled.");
        return 1;
    }

    /* authorization ID \0 authentication ID \0 pass */
    plain_login = buffer_create_dynamic(pool_datastack_create(), 64);
    buffer_append_c(plain_login, '\0');
    buffer_append(plain_login, user, strlen(user));
    buffer_append_c(plain_login, '\0');
    buffer_append(plain_login, pass, strlen(pass));

    base64 = buffer_create_dynamic(pool_datastack_create(),
                    MAX_BASE64_ENCODED_SIZE(plain_login->used));
    base64_encode(plain_login->data, plain_login->used, base64);

    client_ref(client);
    sasl_server_auth_begin(&client->common, "IMAP", "PLAIN",
                   str_c(base64), sasl_callback);
    if (!client->common.authenticating)
        return 1;

    /* don't read any input from client until login is finished */
    if (client->io != NULL) {
        io_remove(client->io);
        client->io = NULL;
    }

    return 0;
}